Cyborg Information Security 
Defense Against The Dark Arts 




Your presenters 



Adam Cecchetti 
- Deja Vu Security 
Esteban Gutierrez 



Why are you here? 

Cyborgs are awesome 

Dead cyborgs are less awesome 




(Unless we are at war) 



Technology and Humans 

Humans modify themselves with technology 

- Tools:

• Shovel, Bow and arrow, contact lenses, SEM

- Chemicals:

• Caffeine, "Heroin never hurt my record collection"

- Machines 

• Cars, Planes, Trains, Space Shuttles, Power suits 

- Computers 

• Infinite collective information works and computational 
power 



More Technology and Humans 

Past augmentation has been for the most part 
external 

- You can put down a tool 

- Turn off your phone (iPhone or G1)

- Stop drinking caffeine* 

- Fix a wrecked car 

- Format your computer 



(lies) 



Technology in Humans 

• Technology becomes a part of you 

• Implants (for the immediate future) can't: 

- easily be removed 

- updated 

- patched 

- accessed 

- upgraded 




What is a Cyborg 



An integration of biological organism and technology into a whole




a cyborg being detained by a robot 




The war has already started 



Why now 



the Hospital Age 

- Largest group of hospital aged individuals are 
about to walk in for advanced medical care. 

- Many of these people are going to leave with one 
or more devices in them. Ranging from a pin to a 
personal area network. 



Thank you, Baby Boomers 

We've already failed



Bluetooth hearing aids 

Sync with cell phone to pipe call audio directly to 
device. 

Pairing password "0000" 




We've already failed 



WU work 

Implantable cardiovascular defibrillator (ICD)

Designed to be remotely controlled over an unencrypted wireless protocol.




No, for real, we've already failed

• Deep Brain Electrode implants (DBS) 

• Programmed wirelessly from handheld device 

• Send electrical signals to the deep brain 




Did I mention we failed? 



Medical reporting infrastructure is largely phone/VoIP based.

Next generation is GSM + GPS enabled. 

M2M, PCN 



Programmer 




Programmer 




We're not the first. 

Endless sci-fi and anime writers 

Kevin Fu - Medical Device Security Center 

Gadi Evron, Kohno, Denning 

Bruce Schneier 

Many of you 



Our Focus 

• Is not on: 

- specific device, 

- privacy, 

- HIPAA, laws, or ethics 

• Policy is not a solution to this problem 

- Attackers don't follow the rules 

- Defenders have to stop attackers 

• Our focus is Attack and Defense 

- define cyborg security landscape 

- Scenarios 

• Attacks and required tools 

• Defense and needed technology 



Ethics? What, Ethics? 




The Cyborg landscape 

How do we understand how we modify ourselves

- So that we can attack it

- So that we can defend it

Quinn Norton ("Body Hacking"):

"The body is just another programmable system"

Neuroplasticity makes it so.



Cyborg Functional Matrix 



Columns: Restore | Enhance | Augment

Rows: Physical | Sensory | Cognitive



Restoral 

Happening today 
Restore Primarily Medical 



• Prosthetics, ICD, Penis Implants

• Hearing Aids, Lasik, Contacts

• Plasticity, PTSD, Rehab, TMS



Enhancement 




Active Area of research for Medical, 
Military, Commercial and DIY culture 

• Powered limbs 

• night-vision, telescopic, better hearing

• caffeine, Provigil, physical memory integration, neural control of limbs, combat training, TMS



Augmentation 



Today: Sci-fi and Research 

Later: Military, Commercial and Mainstream Augmentative culture

fore-arm guns, wings, tails, additional limbs 

Magnetic sense, Thermal imaging, sub-vocal 
hearing, pressure, etc 



Interface with hippocampus, long term 
storage (SSD in your head), added neural 
capacity, ??? 



Vulnerability Landscape/Threat Matrix 



Working on a cyborg threat model 





We're doing it wrong before there is 
anything to be done 

Defense 

- Firmware, Code, Firewalls, IPS/IDS, Monitoring 

- Update/Patching

- Cloaking, audible alarms, proxies

Attack

- Recon, MiTM, Injection, Control

- Reversing 

- Communications 



Human factors: Defense 



Drugs 

Meditation 

Rest 

Surgery 

Will 

Perception 




Human Factors: Attack 

• Plasticity is the new target 

- Growth of new neural pathways (malicious, controlled, 
etc) 

• Stimuli 

• Behavioral psych: 

- Pavlovian response 

• Addiction 

• Breaking Barriers 

- physical 

- psychological 







"Real" World Examples



Today 

Tomorrow 

Beyond 



Today: Troubled Ticker 

• Focus is on "Restoral" 

• Help desk ticket from CEO assistant. 

• "Please unblock firewall for Medical Remote 
monitoring only from CEO laptop." 

- Turns out the CEO's health is more important than your policy. Ask the shareholders.

• Defibrillator iPhone App

• Deep Brain Stimulator 




Tomorrow: 

Focus is on "Enhance" 

Pacemaker 0-day sent to a retirement home

EMP Rubber bullets 

Enemy hack of sniper eye implant right before 
trigger pull 

Political hack: "Smack in the face" 

SPAM (e-ink tattoos) 

Vendor for your tech goes out of business 

who's going to patch your arm's firmware? 

(Open standards could prevent) 



Beyond 

• Focus is on Augment 

• DRM for your senses 

- not having Optical implant licensing for your PDF 

• For some reason, I can stop going to McDonalds.

• Ubiquitous computing 

• Technology changes fast 

Parallel > Serial > USB > USB2 > Wireless USB > USB3



Social Class 

"Mommy, why can't I see the art?" 
"Because, I couldn't afford the license." 

2nd hand market for implanted tech
Hand me down tails/eyes/neuronal clusters 



Conclusions 

• The industry has failed already 

• It's highly likely that most of you in the 
audience under 40 will be getting an implant 
before you die 

• Policy and compliance is not a solution

• Proprietary implementations are not a solution

• It's being done wrong (SCADA, M2M repeating mistakes)



Where to go from here? 



Ask a lot of questions when you get an 
implant 

Other organisms besides humans

Hack grandpa (we kid we kid) 



Questions 

emails 

adam@dejavusecurity.com

infoape@gmail.com

Twitter

@adamcecc 

@infoape 



backup 

and some other unfinished thoughts. 



Defense 



Restore 



Physical 



Sensory 



Cognitive 



"Cloakers" 

Secure coding 

Symmetrical encryption

Governors

Firewalls, AV, audible alarms

telemetry (heat, logs)

SIEM for your PAN



Limbs 

Signal theft 

- replay, reinterpretation 

- Feedback to patient 

- Malware on device, bad firmware 

- Overclock/override device 

- DoS

- Eavesdropping through arm controls

• Pin/password capture 

• What was the person doing 



Limbs 

Signal theft and re-interpretation: 
control of limb 

Bad feedback to the patient 

Malware on the device 

Overriding controls (more strength, etc) 

Denial of Service (freeze limb) 

Eavesdropping through monitoring of limb 
communication (Wireless or wired). 

What keys were typed? 

What is the person doing 

Capture of signature 



